With Sen. Kamala Harris joining the field of 2020 hopefuls, three out of three Democratic senators now running for president have pushed for major cyber policy reforms -- from cracking down on election interference to stemming the flood of data breaches.
Harris (Calif.) was a sponsor of the most successful bipartisan election cybersecurity bill last Congress while Sen. Kirsten Gillibrand (N.Y.) backed a separate bill that would have launched a 9/11 Commission-style investigation into Russian interference in the 2016 election. Sen. Elizabeth Warren (D-Mass.), meanwhile, introduced legislation in the wake of the massive Equifax data breach to ratchet up consequences for credit ratings agencies that fail to protect people’s data.
This sets the stage for cybersecurity — traditionally a fringe issue during presidential races — to be a big part of the national conversation during the 2020 contest. Democratic senators will almost certainly seek to turn cybersecurity into a wedge issue to attack President Trump, who has been hesitant to acknowledge Russia’s culpability for a hacking and disinformation campaign to influence the 2016 election in his favor.
“RT if you agree: Americans deserve a transparent, independent investigation into Russia’s involvement with the Trump camp.” Harris tweeted on Valentine’s Day 2017 in what could be a model for calling out the president on cyber issues.
RT if you agree: Americans deserve a transparent, independent investigation into Russia’s involvement with the Trump camp.— Kamala Harris (@KamalaHarris) February 15, 2017
This marks a big change from pre-2016 election cycles when the topic was barely discussed-- and a broader debate over cybersecurity policy was virtually unheard of. Even during the 2016 contest, the candidates mostly bickered about the security of former secretary of state Hillary Clinton’s private email server and whether Trump would embrace intelligence agencies’ October conclusion that Russia was behind political hacks at the Democratic National Committee.
This cycle, cybersecurity could prove an important issue to the Democratic base: Democrats are both more concerned about election security and more skeptical of the government’s ability to manage a major cyberattack than Republicans, according to recent public opinion polls. And the 2020 candidates entering the race with lengthy cyber policy records have the potential to be judged on their accomplishments on this complex topic -- and are likely to face tough questions about Russian hacking and disinformation operations, election security and Chinese intellectual property theft.
Harris, who joined the Senate only in 2016, has the most substantive cyber record among the candidates so far. As a member of the Senate's Homeland Security, Intelligence and Judiciary committees, she's at the heart of the cybersecurity policy action on the Hill.
She was one of five co-sponsors of the Secure Elections Act, the election security measure that came closest to becoming law last Congress, and helped deliver $380 million in election security money to states. She was also a co-sponsor on a separate bill from Sen. Ron Wyden (D-Ore.) that would require all elections to use paper ballots, a mandate favored by security experts.
She's also focused on Chinese cyber threats, introducing legislation that would make it easier for U.S. companies to sue foreign actors including China for digital intellectual property theft.
Harris also sponsored smaller legislation that would create a cyber workforce exchange program between the Homeland Security Department and the private sector and upgrade cybersecurity at U.S. ports. As California’s attorney general, she built up the state’s ability to fight digital crimes, including identity theft.
Harris has been a frequent critic of Trump on cyber issues. Most recently, she lashed out at Trump’s assertion without evidence that China was interfering in the midterm elections, penning a letter with other Democrats asking the director of national intelligence to either back up Trump’s assertion or refute it.
Gillibrand’s cyber focus has largely been on getting to the bottom of Russia’s 2016 election interference. She cosponsored a bill in 2017 with Sen. Lindsey Graham (R-S.C.) to launch a 9/11 Commission-style investigation into Moscow's hacking and influence operations and make recommendations for future elections, though it did not pass.
Our country’s election systems remain vulnerable to cyber attack. We must figure out how we are vulnerable and how we can fix it.— Kirsten Gillibrand (@SenGillibrand) September 15, 2017
She also sponsored a 2010 bill with then-Sen. and later Secretary of State John F. Kerry to create a top cyber diplomat post at the State Department, a move the agency made on its own a year later. The Trump administration eliminated that position last year.
Warren, a longtime critic of the financial sector who serves on the Senate Banking Committee, has focused most of her cyber work on holding companies in that sector accountable for breaches. A bill she introduce with Sen. Mark R. Warner (D-Va.) in the wake of the Equifax breach would have imposed fines in the billions for similar breaches.
Gillibrand and Warner were also among 19 Senate Democrats who penned a letter urging the Trump administration to rethink its decision to eliminate the role of White House cybersecurity coordinator.
As the campaign heats up, expect these Democratic senators to take even more opportunities to position themselves against Trump -- and further outline their own policy positions.
They've already started laying the groundwork during their time in the Senate. Shortly after the president’s July summit with Russian President Vladimir Putin in Helsinki, for example, Gillibrand tweeted: “.@realDonaldTrump, instead of inviting Putin to the White House, how about you condemn him, and hold him accountable, for Russia’s interference in the 2016 elections and their continuing efforts to undermine our democracy?”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: U.S. senators from Virginia and Maryland urged Metro to investigate the Chinese spying risk from a possible contract with the state-owned China Railway Rolling Stock Corp. to build up to 800 subway cars, The Washington Post's Robert McCartney reported. “In a letter to Metro General Manager Paul J. Wiedefeld, the lawmakers say the transit agency should get approval from the Defense Department, Department of Homeland Security and Transportation Department before awarding the contract for its next-generation rail cars to a foreign adversary,” my colleague wrote.
Sens. Mark R. Warner (D-Va.), Tim Kaine (D-Va.), Ben Cardin (D-Md.) and Chris Van Hollen (D-Md.) said that automatic train control and video surveillance are among the types of technology that could be added to the 8000-series rail cars. “Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers,” the senators said. They did not mention China by name in their letter but it was clear that Beijing was the subject of their concern, according to Robert.
“Metro’s response was mixed,” my colleague wrote. “Wiedefeld issued a brief statement saying the agency was strengthening its protections against cyberespionage, while Metro Board Chairman Jack Evans criticized the senators.”
PATCHED: The risk that industrial robots used in factories or hospitals could be hacked has risen as those machines become increasingly connected to the Internet, the Wall Street Journal's Timothy W. Martin reported. Moreover, the rollout of 5G networks will help accelerate the connection of industrial robots to the Internet in smart factories, making those hacking threats even more acute. For instance, hackers could seek to obtain control over the robots or hit them with ransomware, the Journal reported. “There’s no concept of antivirus for your robot. It just doesn’t really exist yet,” Yossi Naar, a co-founder of the cybersecurity company Cybereason, told Martin. “So protection tends to be very lax to nonexistent.”
However, one factor that can complicate hackers' attempts to compromise industrial robots is their price. “The machines often cost tens of thousands of dollars, if not much more, meaning hackers — for now — can’t easily obtain an industrial robot to dissect and study for cyber infiltration,” according to the Journal. “But prices will eventually fall and industrial robots will become more widespread, bolstering the need to fortify cyber defenses before that time comes.”
PWNED: Lawmakers in Washington are warning that doctored videos known as “deepfakes,” which artificial intelligence technology can make look extremely realistic, could be weaponized to carry out disinformation campaigns, the Hill's Olivia Beavers reported. Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, said he may introduce legislation to address such manipulated videos. “It is almost too late to sound the alarm before this technology is released — it has been unleashed … and now we are playing a bit of defense,” Warner told Beavers.
Sen. Marco Rubio (R-Fla.), who also sits on the Senate Intelligence Committee, said in a statement to the Hill that deepfakes represent a real threat. “America’s enemies are already using fake images to sow discontent and divide us,” Rubio said. “Now imagine the power of a video that appears to show stolen ballots, salacious comments from a political leader, or innocent civilians killed in conflict abroad.”
— Sen. Ron Wyden (D-Ore.) admonished T-Mobile chief executive John Legere over the sale by the carrier of its customers' cellphone location information to third-party companies, Motherboard's Karl Bode reported. “I write you today to express my disappointment and disbelief regarding T-Mobile’s continued partnership with companies that have enabled spying on Americans without their knowledge and consent,” Wyden said in a letter to Legere, according to Motherboard. “Your company’s continued sale of customer location data to these so-called ‘location aggregators’ is in direct contradiction to your ‘personal evaluation’ of the issue six months ago.”
This month, Motherboard reported that T-Mobile, Sprint and AT&T sold access to their customers' location information to third-party companies. “Wyden on Thursday also began to apply some additional pressure on other wireless carriers he claims have been negligent and secretive when it comes to treatment of this data,” according to Bode.
— Assistant Attorney General John Demers defended the Trump administration's policy of “naming and shaming” and indicting hackers who are tied to foreign states, according to FCW's Derek B. Johnson. “What the government is saying is not only, ‘We think this is happening’ or ‘We assess with a high likelihood this is happening,’ but it's saying ‘I can get up in court and prove every element of what I've laid out in this indictment beyond a reasonable doubt,’” Demers said during an event hosted by the Center for Strategic and International Studies, according to FCW.
— More cybersecurity news from the public sector:
— Facebook Chief Operating Officer Sheryl Sandberg said the social network and Germany's ministry for information security will join forces to combat election interference, according to the Wall Street Journal's Sara Germano. “The Integrity & Security Initiative will be a cooperation between Facebook, the German office and other companies and research partners, Ms. Sandberg said, ahead of European Union parliamentary elections this spring,” according to the Journal. “The German cybersecurity watchdog will spearhead the initiative, a person familiar with the matter said.”
— France is considering cracking down on Chinese telecommunications giant Huawei, according to Reuters. “France is considering introducing a bill amendment to empower its security and defence watchdogs to make retroactive checks to telecoms operators’ equipment once installed, targeting China’s Huawei, Les Echos newspaper reported on Monday without citing sources,” according to Reuters.
— More cybersecurity news from abroad:
- SANS Cyber Threat Intelligence Summit in Arlington, Va.
- Data Connectors’ Houston Cybersecurity Conference in Houston on Thursday.
- The Atlantic Council hosts an event titled “Cyber Risk Wednesday: Operationalizing Cyber Strategies” on Jan. 30.
Unpaid Pittsburgh TSA workers demand end to shutdown:
Lawmakers grasp for agreement to end shutdown:
Five ways the shutdown is affecting the economy: